Of the many uses of the Internet, one of the more common ones is to access content on a remote server, such as a World Wide Web server. Typically, a person operates a client device to access content on a remote origin server over the Internet. The client may be, for example, a personal computer (PC) or a handheld device such as a personal digital assistant (PDA) or cellular telephone. The client often includes a software application known as a browser, which can provide this functionality. A person using the client typically operates the browser to locate and select content stored on the origin server, such as a web page or a multimedia file. In response to this user input, the browser sends a request for the content over the Internet to the origin server on which the content resides. In response, the origin server returns a response containing the requested content to the client, which outputs the content in the appropriate manner (e.g., it displays the web page or plays the audio file). The request and response may be communicated using well-known protocols, such as transmission control protocol/Internet protocol (TCP/IP) and hypertext transfer protocol (HTTP).
For a variety of reasons, it may be desirable to place a device known as a proxy logically between the client and the origin server. For example, organizations often use a proxy to provide a barrier between clients on their local area networks (LANs) and external sites on the Internet by presenting only a single network address to the external sites for all clients. A proxy normally forwards requests it receives from clients to the applicable origin server and forwards responses it receives from origin servers to the appropriate client. A proxy may provide authentication, authorization and/or accounting (AAA) operations to allow the organization to control and monitor clients' access to content. A proxy may also act as (or facilitate the use of) a firewall to prevent unauthorized access to clients by parties outside the LAN. Proxies are often used in this manner by corporations when, for example, a corporation wishes to control and restrict access by its employees to content on the Internet and to restrict access by outsiders to its internal corporate network. This mode of using a proxy is sometimes called “forward proxying”.
It is also common for a proxy to operate as a cache of content that resides on origin servers; such a device may be referred to as a “proxy cache”. An example of such a device is the NetCache product designed and manufactured by Network Appliance, Inc. of Sunnyvale, Calif. The main purpose of caching content is to reduce the latency associated with servicing content requests. By caching certain content locally, the proxy cache avoids the necessity of having to forward every content request over the network to the corresponding origin server and having to wait for a response. Instead, if the proxy cache receives a request for content which it has cached, it simply provides the requested content to the requesting client (subject to any required authentication and/or authorization) without involving the origin server.
Proxy caches may be used by corporations and other institutions in the forward proxying mode, as described above. Proxy caches are also commonly used by high-volume content providers to facilitate distribution of content from their origin servers to users in different countries or other geographic regions. This scenario is sometimes called “reverse proxying”. As an example of reverse proxying, a content provider may maintain proxy caches in various different countries to speed up access to its content by users in those countries and to allow users in different countries to receive content in their native languages. In that scenario the content provider “pushes” content from its origin servers to its proxy caches, from which content is provided to clients upon request.
Database-oriented authentication servers are often used in conjunction with proxy caches in order to restrict access to network content. The main purpose of an authentication server is to monitor and control user access to network content. The authentication server performs authentication, i.e., determines whether the user requesting access is who he claims to be, and the proxy cache performs authorization, i.e., determines whether the user is authorized to do what he is attempting to do. One way the proxy cache may be able to determine proper authorization is through an access control list (ACL). An ACL is defined by mechanisms and policies that restrict access to computer resources. An ACL specifies what operations different users can perform on specific files and directories. Various authentication protocols can be used to check usernames, passwords, and group memberships. Among them are Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS), Kerberos, and Windows NT/LAN Manager Authentication Protocol (NTLM).
Commonly, there are many configuration parameters needed to configure a proxy cache for use with authentication protocols. As a result, the configuration process is often done incorrectly by network operators or administrators. This consumes the time of technical support personnel and can result in disruptions in network data traffic. Network operators and administrators are often unaware of their database layout and thus have difficulty configuring the proxy cache to work with their databases.